This Part II focuses on the Conseil d’Etat’s decision; for more information about the CNIL’s position, see our Part I, here.
Timeline and Context of the Health Data Hub Case
On October 8, 2020, the CNIL submitted its opinion against the hosting of a public health data lake by Microsoft, due to concerns that U.S. surveillance authorities could access EU personal data in violation of the GDPR in light of Schrems II.
On October 9, 2020, a very short Ministerial Order was hastily published to explicitly prohibit the Health Data Hub from transferring personal data to third countries outside the EU.
On October 14, 2020, the Conseil d’Etat published its decision in the lawsuit initiated by the CNLL (“Conseil National du Logiciel Libre”, a union of open source software providers) and other unions and professional associations requesting that the Health Data Hub be suspended in order to put an end to unlawful interference with the right to privacy and the protection of personal data.
One of the pivotal arguments of the requesters against the setting up of the Health Data Hub is that Microsoft Azure was chosen to host the data (agreement with Microsoft Ireland executed on April 15, 2020), which, according to them, had become unlawful since the CJEU’s Schrems II decision invalidating the EU-U.S. Privacy Shield.
In its opinion, the CNIL adopted a strict and expansive position on the consequences of the Schrems II decision, most likely in order to influence the forthcoming guidelines of the European Data Protection Board (EDPB). The Conseil d’Etat was not bound by the CNIL’s position and chose to diverge. The Conseil d’Etat ruled that (i) the hosting of the Health Data Hub by Microsoft should not be suspended at this stage and (ii) the Health Data Hub and Microsoft have 15 days to produce a new addendum demonstrating that the hosting and processing entail no transfer of personal data outside of the EU.
The Conseil d’Etat decision
- The Conseil d’Etat notes that, following the CJEU’s Schrems II ruling, EU-U.S. personal data transfers can no longer be carried out pursuant to the Privacy Shield, and Standard Contractual Clauses can only be used if there are appropriate safeguards for the data subjects’ rights. Any transfer of EU personal data to the U.S. by a company subject to access requests from U.S. intelligence services is likely to violate the GDPR unless:
  - appropriate safeguards pursuant to Article 46 GDPR have been implemented to cover such transfers, together with the supplementary measures required in light of the Schrems II ruling; or
  - such transfers are justified by the Article 49 GDPR derogations.
- The Conseil d’Etat concludes that the Health Data Hub’s health data is not subject to transfers to the U.S. pursuant to the agreement between the Health Data Hub and Microsoft.
- The Conseil d’Etat notes that the Ministerial Order dated October 9, 2020 prohibits the Health Data Hub from transferring any personal data outside the EU.
- Microsoft and the Health Data Hub had entered into a contractual addendum prior to the decision (on September 3, 2020) providing that Microsoft will not process Health Data Hub personal data outside the geographical area defined in the agreement, and the Health Data Hub committed to refuse any EU-U.S. transfer. The only data that could be transferred outside the European Union is telemetry data, used to monitor the proper functioning of the services offered by Microsoft, and billing data. Thus, the Conseil d’Etat expects that the Health Data Hub would not be forced to allow transfers of health data.
- The Conseil d’Etat acknowledges that there is a risk that Microsoft could be compelled to respond to U.S. authorities’ requests by providing some data. The Conseil d’Etat also refers to the CNIL’s opinion of October 8, 2020, in which the CNIL indicates that the risk of requests from U.S. authorities cannot be excluded and that, although Microsoft has applied security measures such as encryption, it cannot be totally excluded that Microsoft could access the Health Data Hub data and respond to such requests by providing some data.
- Despite these findings, the Conseil d’Etat assesses the risk that the Health Data Hub could violate the GDPR in light of Schrems II as follows:
  - in the Schrems II case, the CJEU only ruled on transfers of personal data to the U.S. and did not prohibit the processing of personal data, on European Union territory, by U.S. companies or subsidiaries of U.S. companies;
  - there is no direct violation of the GDPR yet, but there is a risk of such a violation if Microsoft were not in a position to oppose access requests from U.S. surveillance authorities;
  - data in the Health Data Hub is pseudonymised and encrypted, which limits (without excluding) the possibility of access;
  - the operation of the Health Data Hub and the underlying processing activities are performed for important reasons of public interest, in particular because of the COVID-19 health crisis. Thus, Microsoft’s hosting of the Health Data Hub can be justified on public interest grounds, provided that there is no other satisfactory technical alternative.
- Due to the urgent need to set up the Health Data Hub, and following from its risk assessment, the Conseil d’Etat recommends corrective measures rather than suspension of the agreement.
- The Conseil d’Etat, ruling in summary proceedings, finds that it cannot suspend the hosting of the Health Data Hub by Microsoft, as this hosting does not entail a serious and manifestly unlawful interference with a fundamental right by a legal person governed by public law.
- Therefore, the Conseil d’Etat does not grant the requested suspension of Microsoft’s hosting activities. However, the Conseil d’Etat requests the production, within 15 days, of a copy of the new data protection addendum to be entered into between Microsoft and the Health Data Hub, which must (i) provide that all Microsoft services are subject to EU law and the relevant Member State law and (ii) confirm that no services provided by Microsoft will entail EU-U.S. personal data transfers.
Analysis of the Conseil d’Etat Decision
- The Conseil d’Etat’s decision is very context-specific, with a narrow scope limited to public health data processing on the Health Data Hub. The decision was taken under “summary” proceedings, which required the claimants to show urgency in seeking to terminate the contract. Public interest (especially the COVID-19 health crisis) is a key element factored into the decision. In these circumstances, and on balance, the Conseil d’Etat did not find any urgency in terminating the contract.
- While waiting for the collective position of the EDPB on additional measures to carry out lawful international transfers of EU personal data in light of the Schrems II ruling, and for the publication of the European Commission’s new set of Standard Contractual Clauses (SCCs), the following takeaways follow from the Conseil d’Etat’s decision:
  - The CNIL’s position essentially was that the mere risk of requests under FISA and EO 12333 made the processing of EU personal data by Microsoft (or any provider subject to U.S. law) illegal, even if the data remained in the EU. The Conseil d’Etat did not follow the CNIL’s reasoning and found instead that, under the Schrems II ruling, processing by a U.S. provider on the territory of the EU is not in itself a violation of the law;
  - The Conseil d’Etat found, in the case at hand, that where the additional measures (in addition to SCCs) under Article 46 GDPR cannot be implemented, potential EU-U.S. transfers pursuant to access requests by U.S. intelligence authorities may be justified pursuant to the Article 49 GDPR derogations (e.g., public interest in the present case).
Next steps
- Microsoft and the Health Data Hub will have to agree on a new addendum providing the safeguards requested by the Conseil d’Etat by the end of October. However:
  - the French Secretary of State for Digital, Cédric O, announced ahead of the Conseil d’Etat decision that the French government was looking to transfer the Health Data Hub to a French or European platform;
  - this is highly political, but very few cloud providers could match the Health Data Hub prerequisites in terms of security and confidentiality from a technical standpoint. It is possible that there would not be many alternatives able to take on a project of this magnitude with all the necessary privacy considerations and safeguards.
Authored by Patrice Navarro and François Zannotti.